The Hacker News — Cyber Security, Hacking, Technology News

No issues, your Wi-Fi router may soon be able to tell how you feel, even if you have a good poker face.

A team of researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has developed a device that can measure human inner emotional states using wireless signals.

Dubbed EQ-Radio, the new device measures heartbeat and breathing to determine whether a person is happy, excited, sad, or angry.

Using EQ-Radio, which emits and captures reflected radio frequency (RF) waves, the team bounced waves off a person’s body to measure subtle changes in breathing patterns and heart rates.

This data was then run through a bunch of algorithms and a machine-learning process programmed to match a person's behavior to how they acted previously, categorizing the person's emotion as one of the four emotional states: Pleasure, Joy, Anger and Sadness.

The impressive part about the technique:

EQ-Radio doesn't require you to wear any sort of monitoring device or on-body sensor.

"The whole thing started by trying to understand how we can extract information about people’s emotions and health in general using something that’s completely passive—does not require people to wear anything on their body or have to express things themselves actively," says Prof. Dina Katabi, who conducted the research along with graduate students Mingmin Zhao and Fadel Adib.

In its tests, the team says the device measures emotions with 87 percent accuracy when it is trained on each subject separately, and with 72.3 percent accuracy when using a single classifier for all subjects.

EQ-Radio uses the same carrier frequency as Wi-Fi, but with about 1,000 times less power, which means the system could be integrated into an existing Wi-Fi router or other devices that transmit and receive wireless signals.

According to the researchers, EQ-Radio and similar systems may help in some practical situations, like:

movie makers and advertisers could use it to better evaluate people's reactions to their work in real time;

doctors could use it to diagnose mental health conditions like depression or bipolar disorder; and

it could also be integrated into smart homes to adjust temperature, lighting, and music automatically to match the user's mood...

...all without the target's knowledge or consent. All it takes is some RF signals mixed with a set of algorithms and a dash of machine learning.

For more technical details on how the EQ-Radio device works, you can head to the research paper [PDF] titled "Emotion Recognition using Wireless Signals."

Microsoft has finally decided to remove one of Windows 10's controversial features: the Wi-Fi Sense network sharing feature, which shares your WiFi password with your Facebook, Skype and Outlook friends and is enabled by default.

With the launch of Windows 10 last year, Microsoft introduced the Wi-Fi Sense network sharing feature, aimed at making it easy to share your password-protected WiFi network with your contacts within range, eliminating the hassle of manually logging in when they visit.

This WiFi password-sharing option immediately stirred up concerns from Windows 10 users, especially those who thought the feature automatically shared your WiFi network with all your contacts who wanted access.

But Wi-Fi Sense actually gives users control, so they can select which networks to share and which contact lists can access their Wi-Fi.

Also, the feature doesn't share the actual password used to protect your Wi-Fi, but it does give your contacts access to your network.

However, the biggest threat comes in when you choose to share your Wi-Fi access with any of your contact lists.

But who really wants to share their Wi-Fi codes with everyone in their contacts?

Of course, nobody does.

Since the feature doesn't give you the option to share your network with selected individuals on Facebook, Skype or Outlook, anyone in your contact list with a malicious mind can perform Man-in-the-Middle (MITM) attacks.

Although Microsoft defended Wi-Fi Sense network sharing as a useful feature, Windows users did not respond well to it, prompting the company to remove Wi-Fi Sense's contact sharing feature in its latest Windows 10 build 14342.

"The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment," said Microsoft Vice President Gabe Aul. "Wi-Fi Sense, if enabled, will continue to get you connected to open Wi-Fi hotspots that it knows about through crowdsourcing."

Microsoft just released its latest Windows 10 build for testers. The company will remove the Wi-Fi Sense password sharing feature as part of its Anniversary Update due in the summer, but will keep the Wi-Fi Sense feature that lets its users connect to open networks.

A researcher has demonstrated how easy it is to steal high-end drones, commonly deployed by government agencies and police forces, from 2 kilometres away with the help of less than $40 worth of hardware.

The attack was developed by IBM security researcher Nils Rodday, who recently presented his findings at Black Hat Asia 2016.

Hacking the $28,463 Drone with Less than $40 of Hardware

Rodday explained how security vulnerabilities in a drone's radio connection could allow an attacker (with some basic knowledge of radio communications) to hijack the US$28,463 quadcopter with less than $40 of hardware.

Rodday discovered (PPT) two security flaws in the tested drone that gave him the ability to hack the device in seconds.

First, the connection between the drone's controller module, known as the telemetry box, and a user's tablet uses extremely vulnerable 'WEP' (Wired Equivalent Privacy) encryption, a protocol long known to be 'crackable in seconds.'

This flaw could be exploited by any attacker within the Wi-Fi range of 100 meters to break into that connection and send a malicious command that disconnects the drone's owner from the network.

Second, the onboard chips used for communication between that telemetry module and the drone use an even less secure radio protocol.

Hijacking Drones from 2 Kms Away

The module and drone communicate using an 'Xbee' chip, which is made by the Minnesota-based chipmaker Digi International and is commonly used in unmanned aerial vehicles (UAVs) everywhere.

According to Rodday, Xbee chips do have built-in encryption capabilities, but to avoid latency between the drone and the user's commands, the chips don't implement encryption.

This issue leaves the drones open to 'Man-in-the-Middle' (MitM) attacks, allowing an attacker to intercept everything happening on the UAV's network connection and inject commands between the drone and the telemetry box from up to 2 kilometres away.

Furthermore, Rodday also warned that any sophisticated hacker with the ability to reverse engineer the drone's software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground.

Rodday's research proves that there are critical issues with what's likely the most expensive drone yet, one that is used for more serious purposes than high-altitude selfies, and these issues need to be taken seriously.

Just one day after Microsoft released its new operating system, over 14 Million Windows users upgraded their PCs to Windows 10.

Of course, if you are one of those millions, you should be aware of Windows 10's Wi-Fi Sense feature, which lets your friends automatically connect to your wireless network without providing the Wi-Fi password.

Smells like a horrible Security Risk! It even triggered a firestorm among some security experts, who warned that Wi-Fi Sense is a terrible and dangerous feature and that you should disable it right away.

Some researchers even advised Windows 10 users to rename their Wi-Fi access points.

Before discussing the risks of Wi-Fi Sense, let's first look at how it works.

How Does Windows 10 Wi-Fi Sense Work?

The Windows 10 Wi-Fi Sense feature allows you to share your Wi-Fi password with your friends or contacts, and lets you automatically connect to networks that your friends and acquaintances have connected to in the past, even if you don't know the password.

Now, when those friends are within range of your Wi-Fi network, Windows 10 automatically joins the network using the saved password you shared with them and logs them in, without prompting them for a password.

Enabled by Default, but It's not the actual Security Threat, Here's Why:

The Wi-Fi Sense feature is enabled by default in Windows 10 to make it easier for users to get instant access to networks shared by their friends or contacts.

But, But, But… did you notice that the feature says "For networks I select..."?

Under the "For networks I select..." option, you can explicitly control which group of contacts from which social networks gets access to which Wi-Fi network.

Unless you offer your Wi-Fi password to Wi-Fi Sense, it will not let the selected contact group connect to your network.

This means the Wi-Fi password sharing option is OFF for every social network by default.

And of course even if you choose to share your Wi-Fi network with your contacts, Wi-Fi Sense only shares Internet access and not your actual Wi-Fi password.

Why You Should be Scared of Wi-Fi Sense (Actual Security Threat)

Microsoft promoted Wi-Fi sense as:

In simple words, now you don't need to read out loud your Wi-Fi password, character by character when your friends are at your home and want to use The Internet. So similarly, you don’t need to shout across the office or your friend’s house "What’s the Wi-Fi password?"

However:

"If you choose to share with your Facebook friends, any of your Facebook friends who are using Wi-Fi Sense on a Windows Phone will be able to connect to the network you shared when it's in range, You can't pick and choose individual contacts." -- Microsoft FAQ says.

As a general Internet user, I used to accept almost every friend request on Facebook and also communicate with lots of people on Skype or Outlook. In short, the majority of people in my contact list are people I don't know personally or trust.

So, if I can't choose any individual contact from my list, then enabling the "Network password sharing feature" will share my network access with all my contacts in the selected social network.

Microsoft also Argued:

Nor does it allow anyone to access your local resources, so nobody can hunt through your personal files.

However, we know that...

The biggest threat of sharing your Wi-Fi access with everyone on a list is that you are allowing hackers to position themselves between you and the connection point, i.e. a Man-in-the-Middle attack.

In such attack scenarios, the hacker can access every piece of information you're sending out on the Internet, including important emails, account passwords or credit card information.

Sitting on the same network, an attacker can also target your machine directly using Metasploit or any other hacking tool.

Ultimately, Windows 10 Wi-Fi Sense is probably not the most secure feature in the world, but it would not be that bad if, in the future, Microsoft allowed Windows 10 users to choose individual contacts from a group.

For Now… Should You Stop Using It?

Like many things in life, we have to make a choice between things that make our life comfortable and things that provide us absolute security.

And if you are more concerned about security, just turn Wi-Fi Sense OFF.

How to Turn Windows 10 Wi-Fi Sense OFF?

To disable Wi-Fi Sense, go to Windows Settings, then Network & Internet and then click "Change Wi-Fi settings," and then "Manage Wi-Fi settings."

From there, you can change a variety of settings. Turn OFF everything under the Wi-Fi Sense heading; disable Wi-Fi password sharing with Facebook, Outlook, or Skype; and have Wi-Fi Sense forget the list of known Wi-Fi networks.

It is possible for an attacker to create malicious Wi-Fi networks in order to crash nearby users’ mobile devices with incredible accuracy.

The "No iOS Zone" attack can even make iOS devices within range completely unusable by triggering constant reboots.

It is nothing but a DoS attack…

...that makes the device inaccessible by its users, just like in the case of websites and servers.

"Anyone can take any router and create a [malicious] Wi-Fi hotspot that forces [nearby users] to connect to [attackers] network, and then manipulate the traffic to cause [their mobile] apps and the operating system to crash," said Sharabani speaking at the RSA Conference.

So, What could be done in order to get rid of attacker's malicious Wi-Fi?

Just Run Away!

Yeah! It sounds really strange, but users have no other choice if they find themselves in this situation.

The only thing that could be done by iOS users is to run away from that malicious hotspot's range.

"There is nothing you can do about it other than physically running away from the attackers," Sharabani said. "This is not a denial-of-service [attack] where you can't use your Wi-Fi; this is a denial-of-service [attack] so you can't use your device even in offline mode."

Another good measure is to simply avoid the free wireless networks you find in the street providing public Internet access.

Now, let's learn how it is possible:

All an attacker needs to do is create a malicious wireless network that uses the Wi-Fi connection to manipulate SSL certificates sent to iOS handsets.

Once the devices are connected to this malicious wireless hotspot, the attacker can launch a maliciously crafted script that forces a denial-of-service (DoS) condition, causing the apps as well as the phone to crash.

Here's the Video Demonstration:

The duo has also produced videos showing the DoS attack on iOS devices in action. You can watch the video below. You can also download the PDF related to this wireless attack.

Both Sharabani and Amit have contacted Apple about this issue, but it is as yet unclear whether the company has released a complete fix or not.

For this reason, the duo has decided not to provide any additional technical details about the flaws and issues they exploited in their attack, to make sure iOS users are not exposed to the danger of the exploit caused by this vulnerability.

A Greek security researcher named George Chatzisofroniou has developed a WiFi social engineering tool that is designed to steal credentials from users of secure Wi-Fi networks.

The tool, dubbed WiFiPhisher, was released on the software development website GitHub on Sunday and is freely available for users.

"It's a social engineering attack that does not use brute forcing in contrast to other methods. It's an easy way to get WPA passwords," said George Chatzisofroniou.

There are already several hacking tools available on the Internet that can hack a secure Wi-Fi network, but this tool automates multiple Wi-Fi hacking techniques, which makes it slightly different from the others.

The WiFiPhisher tool uses the "Evil Twin" attack scenario. As in any Evil Twin attack, the tool first creates a phony wireless Access Point (AP) that masquerades as the legitimate Wi-Fi AP. It then directs a denial of service (DoS) attack against the legitimate Wi-Fi access point, or creates RF interference around it, which disconnects wireless users from the connection and prompts them to inspect available networks.

Once they are disconnected from the legitimate Wi-Fi access point, the tool forces the offline computers and devices to automatically reconnect to the evil twin, allowing the hacker to intercept all the traffic to those devices.

The technique is also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP. These kinds of attacks make use of phony access points with faked login pages to capture users' Wi-Fi credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.

"WiFiPhisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase [and] does not include any brute forcing," Chatzisofroniou said. "WifiPhisher sniffs the area and copies the target access point's settings [and] creates a rogue wireless access point that is modeled on the target."

As soon as the victim requests any web page from the internet, the WifiPhisher tool will serve the victim a realistic fake page that looks like a router configuration page and asks for WPA password confirmation due to a router firmware upgrade.

The tool, thus, could be used by hackers and cybercriminals to generate further phishing and man-in-the-middle attacks against connected users.

There is also criticism of the tool on several online discussion forums, because it would not be possible to set up a fake access point without a password.

"The tool is actually creating a second, unencrypted network. On Windows it will give you a warning that the configuration of the network has changed. On Android you'd have to manually reconnect to the unencrypted network. So their method doesn't automatically perform a man-in-the-middle attack," said one of the critics on Reddit.

Wifiphisher works on Kali Linux and is licensed under the MIT license. Users can download and install the tool on their Kali Linux distribution for free.
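The critics' observation gives defenders a usable signal: the rogue AP appears as a second network with the same name but weaker or no encryption. The Python sketch below is an added example, not code from Wifiphisher or the original article; the scan-record format, the saved-network allowlist and all sample values are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Relative strength of the link-layer protection a beacon advertises.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str
    signal_dbm: int


# Constructed scan results, one "SSID,BSSID,SECURITY,SIGNAL" record per line.
SAMPLE_SCAN = """\
CorpNet,3c:84:6a:11:22:33,WPA2,-48
CorpNet,3c:84:6a:11:22:34,WPA2,-61
CorpNet,02:13:37:aa:bb:cc,OPEN,-35
CoffeeShop,a0:f3:c1:00:00:01,OPEN,-70
HomeLab,f4:f2:6d:de:ad:01,WPA2,-55
"""

# Constructed saved-network profiles: expected protection and AP allowlist.
KNOWN_NETWORKS = {
    "CorpNet": {
        "security": "WPA2",
        "bssids": {"3c:84:6a:11:22:33", "3c:84:6a:11:22:34"},
    },
}


def parse_scan(text):
    """Parse scan records; split from the right because an SSID may contain commas."""
    beacons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = line.rsplit(",", 3)
        beacons.append(Beacon(ssid, bssid.lower(), security.upper(), int(signal)))
    return beacons


def strength(security):
    """Unknown security labels are treated as unprotected."""
    return STRENGTH.get(security, 0)


def find_evil_twin_candidates(beacons, known_networks):
    """Return (beacon, reasons) for APs that look like a downgraded copy of an SSID."""
    by_ssid = defaultdict(list)
    for beacon in beacons:
        by_ssid[beacon.ssid].append(beacon)

    findings = []
    for ssid, group in by_ssid.items():
        best = max(strength(b.security) for b in group)
        profile = known_networks.get(ssid)
        for b in group:
            reasons = []
            if strength(b.security) < best:
                reasons.append("weaker protection than another AP using the same SSID")
            if profile and b.bssid not in profile["bssids"]:
                reasons.append("BSSID is not on the allowlist for this saved network")
            if profile and strength(b.security) < strength(profile["security"]):
                reasons.append("protection is below what the saved profile expects")
            if reasons:
                findings.append((b, reasons))
    return findings


if __name__ == "__main__":
    for beacon, reasons in find_evil_twin_candidates(parse_scan(SAMPLE_SCAN), KNOWN_NETWORKS):
        print(f"{beacon.ssid} {beacon.bssid} ({beacon.security}, {beacon.signal_dbm} dBm)")
        for reason in reasons:
            print(f"  - {reason}")
```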

The MitM attack, dubbed DoubleDirect, enables an attacker to redirect a victim's traffic to major websites such as Google, Facebook and Twitter to a device controlled by the attacker. Once done, cyber crooks can steal victims' valuable personal data, such as email IDs, login credentials and banking information, as well as deliver malware to the targeted mobile device.

San Francisco-based mobile security firm Zimperium detailed the threat in a Thursday blog post, revealing that the DoubleDirect technique is being used by attackers in the wild in attacks against the users of web giants including Google, Facebook, Hotmail, Live.com and Twitter, across 31 countries, including the U.S., the U.K. and Canada.

DoubleDirect makes use of ICMP (Internet Control Message Protocol) redirect packets, which routers use to notify a machine of a better route for a certain destination, in order to change the routing tables of a host.

In addition to iOS and Android devices, DoubleDirect potentially targets Mac OS X users as well. However, users of Windows and Linux are immune to the attack because their operating systems don't accept ICMP redirect packets that carry the malicious traffic.

"An attacker can also use ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP," Zimperium warned. "As a result, the attacker can launch a MitM attack, redirecting the victim’s traffic to his device."

"Once redirected, the attacker can compromise the mobile device by chaining the attack with an additional Client Side vulnerability (e.g.: browser vulnerability), and in turn, provide an attack with access to the corporate network."

The security firm tested the attack and it works on the latest versions of iOS, including version 8.1.1; most Android devices, including Nexus 5 and Lollipop; and also on OS X Yosemite. The firm also showed users how to manually disable ICMP Redirect on their Macs to remediate the issue.

"Zimperium is releasing this information at this time to increase awareness as some operating system vendors have yet to implement protection at this point from ICMP Redirect attacks as there are attacks in-the-wild," the post reads.

The company has provided a complete Proof-of-Concept (PoC) for the DoubleDirect attack, which users can download from the web. It demonstrates the possibility of a full-duplex ICMP redirect attack by predicting the IP addresses the victim tries to connect to, by sniffing the DNS traffic of the target; the next step consists of sending an ICMP redirect packet to all IP addresses.
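For network defenders, the behaviour described above (redirects that steer many destinations toward one host) can be spotted in captured traffic. The following Python detector is an added example, not Zimperium's code; the three heuristics, the addresses, MACs and router allowlist are assumptions, and the frames are constructed fixtures with zeroed checksums that are never transmitted.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_REDIRECT = 5  # ICMP type 5: "use this gateway for that destination"


def addr(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_redirect(frame):
    """Decode an Ethernet/IPv4 ICMP redirect; return None for anything else."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                          # truncated, or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 1:
        return None                          # not IPv4 carrying ICMP
    icmp = ip[ihl:]
    # 8-byte ICMP header followed by the IPv4 header of the original datagram
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_REDIRECT:
        return None
    return {
        "sender_mac": frame[6:12].hex(":"),
        "sender_ip": addr(ip[12:16]),
        "target_host": addr(ip[16:20]),
        "new_gateway": addr(icmp[4:8]),            # where traffic is being steered
        "redirected_dst": addr(icmp[24:28]),       # destination being rerouted
    }


def analyze(frames, gateway_ip, gateway_mac, known_routers, burst_threshold=3):
    """Return (redirect, reasons) for every redirect that looks suspicious."""
    alerts, steered = [], defaultdict(set)
    for frame in frames:
        r = parse_redirect(frame)
        if r is None:
            continue
        reasons = []
        if r["new_gateway"] not in known_routers:
            reasons.append("new gateway is not a known router")
        if r["sender_ip"] == gateway_ip and r["sender_mac"] != gateway_mac.lower():
            reasons.append("gateway IP used by an unexpected MAC address")
        steered[r["new_gateway"]].add(r["redirected_dst"])
        if reasons and len(steered[r["new_gateway"]]) >= burst_threshold:
            reasons.append("many destinations steered to the same host")
        if reasons:
            alerts.append((r, reasons))
    return alerts


def sample_frame(src_mac, src_ip, dst_ip, icmp_type, new_gw="0.0.0.0", orig_dst="0.0.0.0"):
    """Constructed test input only: checksums stay zero and nothing is sent."""
    def pk(a):
        return ipaddress.IPv4Address(a).packed
    hdr = "!BBHHHBBH4s4s"
    inner = struct.pack(hdr, 0x45, 0, 28, 0, 0, 64, 6, 0, pk(dst_ip), pk(orig_dst)) + bytes(8)
    icmp = struct.pack("!BBH4s", icmp_type, 1, 0, pk(new_gw)) + inner
    ip = struct.pack(hdr, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, pk(src_ip), pk(dst_ip))
    return bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + icmp


# Constructed environment and capture.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
KNOWN_ROUTERS = {"192.168.1.1", "192.168.1.2"}
ROGUE_MAC, HOST = "02:de:ad:be:ef:01", "192.168.1.50"
SAMPLE_FRAMES = [
    sample_frame(GATEWAY_MAC, GATEWAY_IP, HOST, 5, "192.168.1.2", "10.20.0.5"),
    sample_frame(ROGUE_MAC, GATEWAY_IP, HOST, 5, "192.168.1.66", "203.0.113.10"),
    sample_frame(ROGUE_MAC, GATEWAY_IP, HOST, 5, "192.168.1.66", "203.0.113.20"),
    sample_frame(ROGUE_MAC, GATEWAY_IP, HOST, 5, "192.168.1.66", "198.51.100.7"),
    sample_frame(GATEWAY_MAC, GATEWAY_IP, HOST, 8),   # echo request: ignored
    b"\x00" * 20,                                      # truncated capture: ignored
]

if __name__ == "__main__":
    for redirect, reasons in analyze(SAMPLE_FRAMES, GATEWAY_IP, GATEWAY_MAC, KNOWN_ROUTERS):
        print(redirect["redirected_dst"], "->", redirect["new_gateway"], reasons)
```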

A seven-year-old cyber espionage campaign has targeted senior level executives from large global companies by using a specialized Advanced Persistent Threat (APT), zero-day exploits, and well-developed keyloggers to extract information from them when they stay in luxury hotels during their business trips.

Researchers at Moscow-based security firm Kaspersky Lab have dubbed the threat "DarkHotel APT." The attackers appear to have the ability to know in advance when a targeted executive checks in and checks out of a hotel.

The group has been operating in Asia since 2009, but there have been infections recorded in the United States, South Korea, Singapore, Germany, Ireland and many other countries as well. It uses hotel Wi-Fi networks to target elite executives at organisations in manufacturing, defense, investment capital, private equity, automotive and other industries.

The group has access to zero-day vulnerabilities and exploits, and it has used them to infect victims. The threat actors use three different malware distribution methods: malicious Wi-Fi networks, booby-trapped P2P torrents, and highly customized spear phishing, Kaspersky Lab reported in a research paper.

When the target executives connect their devices to the hotel’s Wi-Fi or wired Internet access, they are shown bogus software updates, typically something that looks legitimate, for Adobe Flash, Google Toolbar, or Windows Messenger. But these updates also contain a type of malware called a Trojan dropper bundled with more malware.

"When unsuspecting guests, including situationally aware corporate executives and high-tech entrepreneurs, travel to a variety of hotels and connect to the internet, they are infected with a rare APT Trojan posing as any one of several major software releases," the researchers wrote in a report published Monday. "These might be GoogleToolbar, Adobe flash, Windows Messenger, etc. This first stage of malware helps the attackers to identify more significant victims, leading to the selective download of more advanced stealing tools."

"At the hotels, these installs are selectively distributed to targeted individuals. This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the internet."

The trojan dropper then installs various keyloggers and other tracking applications in order to track each of the victim's keystrokes and scan browsers for saved passwords, exposing a wealth of trade secrets and other secret information to the Darkhotel group.

In addition, the Darkhotel malware has the ability to manipulate trusted digital certificates by factoring the underlying private keys of the cloned certificates generated using 512-bit md5 keys. The ability of attackers to factor the weak keys for use in such malware attacks has long been known, as advisories issued from Fox-IT, Microsoft, Mozilla, and Entrust warned in 2011.

The DarkHotel malware operating group has also recently stolen third-party certificates to sign its malware.

The easiest way to protect your device is to avoid connecting to hotel Wi-Fi networks or to any other public or untrusted networks, and instead use your mobile device hotspot to get access to the Internet.

Almost a year ago, at the ‘Hack In The Box’ security summit in Amsterdam, Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, presented a demonstration showing that it's possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code.

Along similar lines, a security researcher claims to have devised a method that can give cyber criminals access to the satellite communications equipment on passenger jets through their WiFi and in-flight entertainment systems.

Cyber security expert Ruben Santamarta, a consultant with cyber security firm IOActive, will unveil his research and all the technical details this week at the Black Hat conference, a major Las Vegas hacker convention, showing how commercial airliner satellite communication systems can also be compromised by hackers, along with evidence of satellite communications system vulnerabilities that calls into question the standards these systems are using.

Santamarta's research paper, titled “SATCOM Terminals: Hacking by Air, Sea and Land”, explains that ships, aircraft and industrial facilities are all at risk of being compromised, perhaps with catastrophic results.

“We live in a world where data is constantly flowing. It is clear that those who control communications traffic have a distinct advantage. The ability to disrupt, inspect, modify or re-route traffic provides an invaluable opportunity to carry out attacks,” Santamarta wrote in his paper.

So far it’s just a claim, but if confirmed, it could prompt a comprehensive restructuring of security for aircraft and other SATCOM terminals, and a review of the way their electronic security has been managed in the past.

According to the researcher’s abstract of the talk made public, he will explain how devices sold by the world’s leading SATCOM vendors contain significant security flaws. IOActive also claimed to have determined that “100 percent of the devices could be abused” by an array of attack vectors.

"In certain cases no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from one ship to another ship can do it." Santamarta wrote in the description to his talk. He told Reuters, "These devices are wide open. The goal of this talk is to help change that situation."

Many of the SATCOM vendors' systems have hardcoded log-in credentials, with the same credentials used in multiple systems, giving hackers the potential to steal credentials from one system and use them to access other systems. As a result, hackers can disable the communications and can interfere with the plane’s navigation.

The researcher discovered the vulnerabilities by "reverse engineering" the highly specialized software known as firmware, used to operate communications equipment made by Cobham Plc, Harris Corp, EchoStar Corp's Hughes Network Systems, Iridium Communications Inc and Japan Radio Co Ltd.

Meanwhile, he developed a theory that a hacker could leverage a plane's onboard Wi-Fi signal or in-flight entertainment system to hack into its avionics equipment. This could allow them to disrupt or modify the plane's satellite communications, potentially interfering with the aircraft's navigation and safety systems.

However, it is really important to note that just because a security researcher can perform the hack doesn't mean hackers are doing it or can easily perform it, too. Santamarta has also acknowledged that his hacks proving the theory have been carried out in controlled tests, and he is not sure how practical the hack would be in the real world.

Furthermore, in the abstract of his talk, we are not provided any technical details or any specific details of the exploit, so we are required to wait until Santamarta's presentation later this week.

Still, the good news for companies that make such equipment is that the researcher plans to reveal all the possible details of the exploit in his presentation to help them fix the issues in their vulnerable equipment.

A leading provider of advanced threat, security and compliance solutions, Tripwire, has announced that Craig Young, a security researcher from its Vulnerability and Exposure Research Team (VERT), is working on a paper about SSL vulnerabilities that will be presented at DEF CON 22 Wireless Village.

There are thousands of websites on the Internet that contain serious mistakes in the way that Secure Sockets Layer and Transport Layer Security (SSL/TLS) are implemented, leaving them vulnerable to man-in-the-middle (MitM) attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information.

The MitM attack is one of the common and favorite techniques attackers use to intercept wireless data traffic. Cyber criminals could intercept sensitive user data, including credit card numbers, PayPal credentials and social network credentials.

Young has unearthed various situations where poor SSL implementations in combination with inbuilt weaknesses in the 802.11 WiFi standards result in certain flaws that can be easily exploited by attackers with “devastating real-world consequences”.

The researcher has also created a short video that demonstrates how a Pineapple WiFi can be easily hacked and exploited “to abduct, stalk, spy on or even physically harm unsuspecting victims.”

The WiFi Pineapple, which is Linux-powered and runs the open-source Karma Wi-Fi attack program, is a small self-contained appliance designed to help security researchers conduct penetration testing in an unobtrusive manner. Since 2008, WiFi Pineapple has been serving penetration testers, law enforcement, military and government with a versatile wireless auditing platform for almost any deployment scenario.

At the conference, Young will explain:

A general strategy for confirming that an SSL-based application performs appropriate certificate validation

How to recognize and examine trust manager implementations within a compiled Android APK

Craig Young is an award-winning cyber security expert, who has uncovered multiple router security holes, Google authentication vulnerabilities, and has filed numerous CVEs. He is currently working in a team of expert security researchers at VERT, a team dedicated to ensuring Tripwire customers have the most extensive protection possible.

Just a week back, a data forensic expert and security researcher detailed a number of undocumented features in Apple iOS devices at the Hackers On Planet Earth (HOPE X) conference held in New York on Friday.

The researcher's allegation that iOS contains a “backdoor” permitting third parties to potentially gain access to large amounts of users' personal data provoked Apple to give a strong response.

Until now, we have seen how different smart home appliances such as refrigerators, TVs and routers could expose our private data, but now you can add another worry to your list: the LED light bulb. Don’t laugh! It’s true.

Researchers at UK security firm Context have formulated an attack against Wi-Fi connected light bulbs, which are available to buy in the UK, that exposes the credentials of the Wi-Fi network the bulbs rely on to operate to anyone in proximity to one of the LED devices.

Security vulnerabilities found in LIFX smart light bulbs, which can be controlled from iOS and Android devices, could allow an attacker to gain access to a “master bulb”, use it to control all connected bulbs across that network, and expose user network configurations.

Along with other Internet of Things (IoT) devices, the smart bulbs are part of a rising trend in which manufacturers add computing and networking capabilities to their devices so that they can be easily controlled remotely using a smartphone, computer, or other network-connected device. LIFX ran a popular fundraising campaign in 2012 on Kickstarter, raising more than $1.3 million (£760,000), which was more than 13 times the original goal of $100,000 (£59,000).

But before delivering the smart bulbs to home consumers, the company failed to properly encrypt all data in the wireless protocols it used when enrolling new bulbs on the network. The oversight allowed the researchers to craft messages to the networked bulbs within about 30 meters, forcing them to obtain security credentials used to secure the connected Wi-Fi network.

The WiFi network credentials are captured in specific packets passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the WiFi details were encrypted with the Advanced Encryption Standard (AES), the researchers were able to obtain the secret key shared between bulbs on the network, making it easy for the attacker to decipher the payload.

"Armed with knowledge of the encryption algorithm, key, initialisation vector, and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence," researchers from security consultancy Context wrote.

“It should be noted, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale.”

LIFX quickly responded to the Context findings and has now issued a firmware update for its smart bulbs, which encrypts all 6LoWPAN traffic and secures the process of adding new bulbs to the network.

The company said that it was unaware of any users being affected by the security issue and has released a LIFX security update.

“In rare circumstances the security issue could expose network configuration details on the mesh radio, requiring a person to dismantle a bulb, reverse engineer the debug connection and firmware, then be physically present with dedicated hardware within the bounds of your WiFi network (not from the internet). Eg. Someone hiding in your garden with complex technical equipment. No LIFX users have been affected that we are aware of, and as always we recommend that all users stay up to date with the latest firmware and app updates,” the firm said in a blog post.

Do you own a blog on WordPress.com? If so, you should take extra caution the next time you sign into your WordPress account while connected to public Wi-Fi, because the account can be hijacked without your knowledge, even if you have enabled two-factor authentication.

Yan Zhu, a researcher at the Electronic Frontier Foundation (EFF), noticed that blogs hosted on WordPress are sending user authentication cookies in plain text rather than encrypting them. As a result, they can be easily hijacked by even a script kiddie looking to steal information.

HIJACKING AUTHENTICATION COOKIES

When WordPress users log into their account, WordPress.com servers set a web cookie named "wordpress_logged_in" in the user's browser, Yan Zhu explained in a blog post. She noticed that this authentication cookie is sent over clear HTTP, where anyone on the network path can read it.

One can grab HTTP cookies from the same Wi-Fi network by using specialized tools such as Firesheep, a network sniffing tool. The cookie can then be added to any other web browser to gain unauthorized access to the victim's WordPress account, and in this way a WordPress.com account could be easily compromised.

Using stolen cookies, an attacker can access the victim's WordPress account automatically without entering any credentials. Fortunately, the vulnerability does not allow hijackers to change account passwords, but that is little comfort, as the affected users would have no knowledge that their WordPress account has been hijacked.

“Hijacking cookie on WP gives you login for 3 years. There's no session expiration for the cookie, even when you log out.” Yan tweeted.

Using this technique, one can also see blog statistics and post and edit articles on the hijacked WordPress blog. The same account also allows the attacker to comment on other WordPress blogs from the victim's profile. Sounds horrible, doesn't it?

But, an attacker “couldn't do some blog administrator tasks that required logging in again with the username/password, but still, not bad for a single cookie.” she explained.

She recommends that WordPress ‘should set the “secure” flag on sensitive cookies so that they're never sent in plaintext.’
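The check this recommendation implies can be run against a site's own `Set-Cookie` response headers. The following is an added example, not code from Yan Zhu or WordPress: the sample headers are constructed, and `MAX_LIFETIME_DAYS` is an assumed policy ceiling rather than a WordPress value.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
AUTH_PREFIXES = ("wordpress_logged_in",)   # cookie named in the article
MAX_LIFETIME_DAYS = 30                     # assumed policy ceiling, not a WordPress value

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute keys are lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_days(attrs, now):
    """Lifetime in days, or None for a session cookie or an unparsable value."""
    try:
        if "max-age" in attrs:             # Max-Age wins over Expires (RFC 6265)
            return int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            return (exp - now).total_seconds() / 86400
    except (TypeError, ValueError):
        pass
    return None

def audit(set_cookie_headers, scheme, now=None):
    """Return sorted (cookie_name, finding) pairs for authentication cookies."""
    now = now or datetime.now(timezone.utc)
    findings = set()
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not name.startswith(AUTH_PREFIXES):
            continue                       # only authentication cookies are audited
        if "secure" not in attrs:
            findings.add((name, "no-secure-flag"))
        if scheme != "https":
            findings.add((name, "set-over-plaintext"))
        days = lifetime_days(attrs, now)
        if days is not None and days > MAX_LIFETIME_DAYS:
            findings.add((name, "long-lived"))
    return sorted(findings)

NOW = datetime(2014, 5, 26, tzinfo=timezone.utc)  # constructed reference date
WEAK = ["wordpress_logged_in=CONSTRUCTED; path=/; expires=Wed, 24 May 2017 00:00:00 GMT",
        "theme_pref=CONSTRUCTED; path=/"]         # constructed headers, not captured traffic
HARDENED = ["wordpress_logged_in=CONSTRUCTED; Path=/; Max-Age=1209600; Secure; HttpOnly"]
```

Header inspection cannot show whether the server invalidates the session at logout, which the tweet quoted above also raises; that needs a separate server-side test.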

The good news is that if you own a self-hosted WordPress website with full HTTPS support, your blog is not vulnerable to the cookie reuse flaw.

Recently, a similar cookie reuse vulnerability was discovered by 'The Hacker News' team on the eBay website that could allow an attacker to hijack eBay accounts without knowing the victims' actual credentials.